On 5/02/2012 12:30 a.m., Jason Fitzpatrick wrote:
Morning all..
I have a requirement to have my squid servers authenticate users
before forwarding requests to an upstream server which does content
filtering based on the X-Forwarded headers in the requests, and all
seems to be working quite well so far (internal traffic is routed via
the squids without the need to authenticate).
I do have one issue though: clients that are unable to authenticate
(Windows Update / Java updates etc.). I want to set up the system so
that it will attempt to authenticate the user, and if the
authentication fails the request is routed regardless.
Is such a thing possible? I have tried all sorts of configurations but
the logic to the rules still escapes me!

This is a side case of security which seems to boggle many an admin's
mind. The core of the problem is that missing credentials is only one
*sub-set* of all failed authentications. You cannot simply take "failed
auth" and assume it's one of the "good" software which is failing. These
days it will quite frequently be someone malicious, possibly even
forging the "good" software User-Agent header to get access.
In particular, missing credentials is a type of failure indistinguishable
from an HTTP request which has not yet even been challenged for
credentials. HTTP is stateless, so there is no way to identify two
clients sharing a downstream proxy and one client re-trying without
credentials. You must hard-code that distinction for the specific cases
you know of, thus all the well published config hacks.
Amos
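The "hard-code the distinction" approach Amos describes, as an added squid.conf fragment that is not part of this thread and not Jason's or Amos's configuration. It assumes a Basic auth helper at /usr/lib/squid/basic_ncsa_auth, an internal network of 10.0.0.0/8, and a filtering parent named filter.example.internal on port 8080; the update domains and User-Agent patterns are constructed placeholders to be replaced with the ones actually observed in the access log. The point it illustrates is ordering: the known non-authenticating clients are allowed by explicit ACLs *before* the `proxy_auth` ACL is evaluated, so they are never sent a 407 challenge, and everything else still has to authenticate. Because a User-Agent string is trivially forged, the `browser` ACL is only honoured in combination with a destination-domain ACL.

```conf
# Added example (not from the thread). Placeholders: networks, domains,
# helper path and peer hostname must be adapted to the real deployment.

# 1. Internal traffic: forwarded without ever being challenged.
acl localnet src 10.0.0.0/8
http_access allow localnet

# 2. Explicit exceptions for clients that cannot answer a 407 challenge.
#    Both ACLs on the same http_access line must match (AND), so a forged
#    User-Agent on its own does not unlock arbitrary destinations.
acl update_sites dstdomain .windowsupdate.com .update.microsoft.com
acl update_sites dstdomain .java.com
acl update_agents browser ^Windows-Update-Agent
acl update_agents browser ^Java/
http_access allow update_sites update_agents

# 3. Everyone else must authenticate. The proxy_auth ACL is what
#    triggers the challenge, so it comes after the exceptions above.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm proxy
acl authed proxy_auth REQUIRED
http_access deny !authed
http_access allow authed
http_access deny all

# 4. Hand everything to the filtering parent, with X-Forwarded-For set
#    so the upstream filter can still see the original client address.
cache_peer filter.example.internal parent 8080 0 no-query default
never_direct allow all
forwarded_for on
```

There is deliberately no rule of the form "allow if authentication failed": as the reply explains, Squid cannot tell a request that failed auth from one that has simply not been challenged yet, so the only safe thing to express is a whitelist of the specific destination/agent pairs that are known to need it. Any request that is denied at step 3 still shows up in access.log with the TCP_DENIED status, which is the place to look when deciding whether a new exception is justified.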